I'm an italian student of computer engineering.
I'm preparing the final test about security of mobile banking. I need to know how banks grants the security of their transaction (at the low level and not high one) and if there are some vulnerabilities.

If you don't have these information could paste only the link which have them.

hope in a useful answer

regards
mamidd

October 24th, 2011, 06:48 PM

ua549

AFAIK each of the major banks select and use their own security measures.
Those measures can vary by customer as well. For example Bank of America uses SSL plus the usual userID/password along with other account identifiers such as the state where the account is located and a user selected icon to protect against site forgery. A customer can optionally use an RSA SecurID for additional security. Bank of America along with most other banks have their own mobile application that eliminates the use of a browser.

October 25th, 2011, 04:08 PM

mamidd

i known these things. i want to know more of specific information. Such as how bank and customers exchange information? how bank can grant security during the communication with its customers?

November 4th, 2011, 06:12 PM

nihil

@mamidd,

I am afraid that I do not understand your question :confused::confused:

You log in to the banking system with your user id, password and a token?................

The bank send you session credentials, which it subsequently uses to verify that it is you they are talking to.

You do your business and logout.............the session is closed and the credentials are invalid?

November 5th, 2011, 12:07 AM

ua549

More specific information is proprietary and disclosure of same is in itself a security breach.
Proprietary security methods and procedures is not an appropriate topic for public discussion.

November 5th, 2011, 11:57 AM

nihil

The systems being discussed here have already been placed in the Public Domain by their providers by virtue of them offering the services to members of the general public.

I would have thought that the only vendor or provider specific details that might be privileged would be in the areas of design and implementation and not really have any relevance to security. From an academic viewpoint one is allowed to assume that whatever has been done has been done properly?

The underlying requirements would be (from the user's viewpoint):

1. Establish a secure connection.
2. Ensure that the connection is with whom it is supposed to be.
3. Authenticate your credentials securely.
4. Close the session/connection properly.
5. Don't leave any compromising traces lying around.

As far as the bank is concerned all they are really interested is that the user provides the required authentication details and a valid transaction type. Typically this would be user ID, account number and password. In more sophisticated systems a part of the authentication may come from a dynamic or static token device.

If you think about it, the most common mobile banking transactions are conducted using a plastic card and a 4 digit PIN? These days you generally have chip and PIN, where the chip acts as a form of token device and the PIN is the password.

I guess the question arises of what do you mean by "mobile banking"?

There are three basic sorts:

1. Plastic card
2. Telephone
3. Internet

And what do you classify as a "transaction"?............. different types have different security implications.

November 5th, 2011, 02:42 PM

ua549

Actually there are several security layers and protocols being used in remote banking transactions that the user is not aware of. Many of them are related to the data presented such as an account type, number or request, not user sign on authentication.